browserforce

Fail

Audited by Snyk on Feb 23, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). This skill explicitly grants arbitrary Playwright/JavaScript execution inside the user's real, already-logged-in Chrome (via an extension + relay), with access to the DOM, cookies and extensions, and the ability to navigate, click and fill. That capability can readily be abused to exfiltrate credentials, session tokens or page data, or to perform actions on the user's behalf. The relay/extension model also creates a remote-access vector, even though no explicit exfiltration code is present in the docs.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The SKILL.md explicitly lets the agent open arbitrary web pages via browserforce (e.g., the "Navigate and read a page" example using browserforce -e with page.goto(...) and snapshot()/evaluate()), meaning the agent will ingest untrusted public web content from arbitrary URLs that can influence subsequent actions.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Feb 23, 2026, 09:14 AM